Freeradius-Users Digest, Vol 214, Issue 31 Re: pam_radius with only otp (Jorge Pereira)
Joe Jones
09cicada at gmail.com
Sat Mar 4 22:03:29 UTC 2023
On Tue, Feb 28, 2023, 3:45 AM <freeradius-users-request at lists.freeradius.org>
wrote:
>
> Today's Topics:
>
> 1. Re: pam_radius with only otp (Jorge Pereira)
> 2. Re: How to check the Extended Key Usage in freeradius?
> (Alan DeKok)
> 3. EAP-TLS default config (clement.legoffic at kelio.com)
>
>
> ----------------------------------------------------------------------
>
> Message: 1
> Date: Mon, 27 Feb 2023 14:36:08 -0300
> From: Jorge Pereira <jpereira at freeradius.org>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: pam_radius with only otp
> Message-ID: <216B4E15-D452-448B-B9A5-163889996A25 at freeradius.org>
> Content-Type: text/plain; charset=us-ascii
>
> pam_radius just forwards to FreeRADIUS. In that case, you should do
> that trick there.
>
Thank you for the reply. I do not understand what is meant; can you please
elaborate?
I am using a 3rd party radius server. Once again, the password + otp works
fine but username + otp does not.
Thanks
>
> > On 23 Feb 2023, at 19:31, Joe Jones <09cicada at gmail.com> wrote:
> >
> > Hi all,
> >
> > Is it possible to use the pam_radius .so module with only a otp? It works
> > fine with a password+otp but I cannot get it working with only otp.
> >
> > Thanks
> > -
> > List info/subscribe/unsubscribe? See
> http://www.freeradius.org/list/users.html
>
> Jorge Pereira
> jpereira at networkradius.com
>
> ------------------------------
>
> Message: 2
> Date: Mon, 27 Feb 2023 13:34:02 -0500
> From: Alan DeKok <aland at deployingradius.com>
> To: FreeRadius users mailing list
> <freeradius-users at lists.freeradius.org>
> Subject: Re: How to check the Extended Key Usage in freeradius?
> Message-ID: <9ED0EA34-872E-4445-88E0-BC3A4AE4F241 at deployingradius.com>
> Content-Type: text/plain; charset=us-ascii
>
> On Feb 27, 2023, at 4:18 AM, Dentzer, Daniel <Dentzer at cpa.de> wrote:
> > It seems that this doesn't work for me.
>
> Read the debug log. If there's an extended key usage OID, it will show
> up as TLS-Client-Cert-X509v3-Extended-Key-Usage-OID.
>
> If there's no extended key usage OID, then it won't show up.
>
> > In the session-state is only TLS-Session-Information,
> TLS-Session-Cipher-Suite, TLS-Session-Version.
> > But it seems I can work directly with TLS-Client-Cert-Issuer and
> TLS-Client-Cert-Subject-Alt-Name-Dns, but not with
> TLS-Client-Cert-X509v3-Extended-Key-Usage-OID.
>
> Does it exist?
>
> Does it show up in the debug log?
>
> The debug log shows every TLS related attribute it creates.
>
> > Is there a way to get TLS-Client-Cert-X509v3-Extended-Key-Usage-OID
> > - in the session-state
>
> Does it exist?
>
> > (see below ' (11) policy debug_session_state {')
> > Or
> > - like TLS-Client-Cert-Issuer to use it directly
>
> Does TLS-Client-Cert-Issuer exist?
>
> > ...
> > freeradius | (10) eap_tls: (TLS) Creating attributes from server
> certificate
> > freeradius | (10) eap_tls: TLS-Cert-Serial :=
> "1400000002219c173715ec84d9000000000002"
> > freeradius | (10) eap_tls: TLS-Cert-Expiration := "20511007092213Z"
> > freeradius | (10) eap_tls: TLS-Cert-Valid-Since := "211007115340Z"
> > freeradius | (10) eap_tls: TLS-Cert-Subject :=
> "/DC=org/DC=example/CN=XY Sub CA"
> > freeradius | (10) eap_tls: TLS-Cert-Issuer :=
> "/C=xxx/ST=xxx/L=xxx/O=xxx/CN=XY Root CA"
> > freeradius | (10) eap_tls: TLS-Cert-Common-Name := "XY Sub CA"
> > freeradius | (10) eap_tls: (TLS) Creating attributes from client
> certificate
> > freeradius | (10) eap_tls: TLS-Client-Cert-Serial :=
> "16000028666eef874492e150cd000000002866"
> > freeradius | (10) eap_tls: TLS-Client-Cert-Expiration :=
> "240209105026Z"
> > freeradius | (10) eap_tls: TLS-Client-Cert-Valid-Since :=
> "230209105026Z"
> > freeradius | (10) eap_tls: TLS-Client-Cert-Issuer :=
> "/DC=org/DC=example/CN=XY Sub CA"
> > freeradius | (10) eap_tls: TLS-Client-Cert-Subject-Alt-Name-Dns := "
> host1.XY.example.org"
> > freeradius | (10) eap_tls: TLS-Client-Cert-X509v3-Extended-Key-Usage
> += "TLS Web Client Authentication,
> 1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7"
> > freeradius | (10) eap_tls:
> TLS-Client-Cert-X509v3-Subject-Key-Identifier +=
> "29:AC:A7:3F:AD:4D:C1:29:E6:1D:0B:42:B5:69:2B:0C:B2:1E:EB:16"
> > freeradius | (10) eap_tls:
> TLS-Client-Cert-X509v3-Authority-Key-Identifier +=
> "keyid:C0:24:69:05:3E:2C:E0:26:AD:85:D9:9E:9D:16:B2:E8:4C:62:81:EC\n"
> > freeradius | (10) eap_tls:
> TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += "1.3.6.1.5.5.7.3.2"
> > freeradius | (10) eap_tls:
> TLS-Client-Cert-X509v3-Extended-Key-Usage-OID +=
> "1.3.6.1.4.1.311.21.8.16510850.12376249.15288979.13711710.10124257.18.15210945.7878633"
>
> OK, that's good. For the initial creation, those attributes are in the
> request. For subsequent packets, they should be in the session-state list.
>
> > ...
> > freeradius | (11) Restoring &session-state
> > freeradius | (11) &session-state:Framed-MTU = 1014
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv
> TLS 1.3 Handshake, ClientHello"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send
> TLS 1.2 Handshake, ServerHello"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send
> TLS 1.2 Handshake, Certificate"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send
> TLS 1.2 Handshake, ServerKeyExchange"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send
> TLS 1.2 Handshake, CertificateRequest"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send
> TLS 1.2 Handshake, ServerHelloDone"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv
> TLS 1.2 Handshake, Certificate"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv
> TLS 1.2 Handshake, ClientKeyExchange"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv
> TLS 1.2 Handshake, CertificateVerify"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) recv
> TLS 1.2 Handshake, Finished"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send
> TLS 1.2 ChangeCipherSpec"
> > freeradius | (11) &session-state:TLS-Session-Information = "(TLS) send
> TLS 1.2 Handshake, Finished"
> > freeradius | (11) &session-state:TLS-Session-Cipher-Suite =
> "ECDHE-RSA-AES256-GCM-SHA384"
> > freeradius | (11) &session-state:TLS-Session-Version = "TLS 1.2"
>
> Hmm... you can always copy the attributes to the session-state list,
> where they will automatically be stored and restored.
>
> I'll have to check what's going on behind the scenes. It's been a while
> since I used v3 like this.
>
> Alan DeKok.
>
> ------------------------------
>
> Message: 3
> Date: Tue, 28 Feb 2023 10:44:38 +0000
> From: "clement.legoffic at kelio.com" <clement.legoffic at kelio.com>
> To: "freeradius-users at lists.freeradius.org"
> <freeradius-users at lists.freeradius.org>
> Subject: EAP-TLS default config
> Message-ID: <0c68af239c1c4ccea93f58f34928defd at kelio.com>
> Content-Type: text/plain; charset="iso-8859-1"
>
> Hello,
>
> I started to learn network authentication and I want to set up a little PoC
> with Freeradius and EAP-TLS.
> I have previously tested my working configuration with the bob user as in
> the freeradius docker example.
>
> I use the freeradius docker image
> https://hub.docker.com/r/freeradius/freeradius-server/ in a container.
> The config files have been extracted to be configured on my host system
> and mounted at container's start.
>
> I have followed this tutorial for the radiusd.conf file:
> https://www.dslreports.com/forum/r9286052-FreeRADIUS-WinXP-Authentication-Setup~mode=flat
>
> As I use the container's default keys, the user file is just one line:
>
> user at example.org Auth-Type := EAP, EAP-Type := EAP-TLS
>
> On my android phone, I connect to a dlink wifi access point (DWL-2100AP)
> configured for 802.1X.
> The ca.pem has been installed on my phone in order to use it for EAP-TLS
> when I select it.
> The username I use on the phone side is "user at example.org", the domain is
> "example.org".
>
> When I click on connect on my phone, I get an access reject as shown in
> the debug output below.
> I wanted to know if I am doing something wrong somewhere and possibly where?
>
> (Freeradius Version 3.2.0)
>
> (0) Received Access-Request Id 0 from 10.17.30.60:1061 to 172.17.0.2:1812
> length 212
> (0) Message-Authenticator = 0x46c9071611e746712984ef9165b516eb
> (0) Service-Type = Framed-User
> (0) User-Name = "user at example.org"
> (0) Framed-MTU = 1488
> (0) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
> (0) Calling-Station-Id = "22-85-59-7C-27-7A"
> (0) NAS-Identifier = "D-Link Access Point"
> (0) NAS-Port-Type = Wireless-802.11
> (0) Connect-Info = "CONNECT 54Mbps 802.11g"
> (0) EAP-Message = 0x020000150175736572406578616d706c652e6f7267
> (0) NAS-IP-Address = 10.17.30.60
> (0) NAS-Port = 1
> (0) NAS-Port-Id = "STA port # 1"
> (0) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (0) authorize {
> (0) policy filter_username {
> (0) if (&User-Name) {
> (0) if (&User-Name) -> TRUE
> (0) if (&User-Name) {
> (0) if (&User-Name =~ / /) {
> (0) if (&User-Name =~ / /) -> FALSE
> (0) if (&User-Name =~ /@[^@]*@/ ) {
> (0) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (0) if (&User-Name =~ /\.\./ ) {
> (0) if (&User-Name =~ /\.\./ ) -> FALSE
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (0) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (0) if (&User-Name =~ /\.$/) {
> (0) if (&User-Name =~ /\.$/) -> FALSE
> (0) if (&User-Name =~ /@\./) {
> (0) if (&User-Name =~ /@\./) -> FALSE
> (0) } # if (&User-Name) = notfound
> (0) } # policy filter_username = notfound
> (0) [preprocess] = ok
> (0) [chap] = noop
> (0) [mschap] = noop
> (0) [digest] = noop
> (0) suffix: Checking for suffix after "@"
> (0) suffix: Looking up realm "example.org" for User-Name = "
> user at example.org"
> (0) suffix: No such realm "example.org"
> (0) [suffix] = noop
> (0) eap: Peer sent EAP Response (code 2) ID 0 length 21
> (0) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (0) [eap] = ok
> (0) } # authorize = ok
> (0) Found Auth-Type = eap
> (0) # Executing group from file /etc/freeradius/sites-enabled/default
> (0) authenticate {
> (0) eap: Peer sent packet with method EAP Identity (1)
> (0) eap: Calling submodule eap_tls to process data
> (0) eap_tls: (TLS) Initiating new session
> (0) eap_tls: (TLS) Setting verify mode to require certificate from client
> (0) eap: Sending EAP Request (code 1) ID 1 length 6
> (0) eap: EAP session adding &reply:State = 0xbced3a8cbcec3700
> (0) [eap] = handled
> (0) } # authenticate = handled
> (0) Using Post-Auth-Type Challenge
> (0) # Executing group from file /etc/freeradius/sites-enabled/default
> (0) Challenge { ... } # empty sub-section is ignored
> (0) session-state: Saving cached attributes
> (0) Framed-MTU = 994
> (0) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1061
> length 64
> (0) EAP-Message = 0x010100060d20
> (0) Message-Authenticator = 0x00000000000000000000000000000000
> (0) State = 0xbced3a8cbcec37005a032dcfba50bf3a
> (0) Finished request
> Waking up in 4.9 seconds.
> (1) Received Access-Request Id 1 from 10.17.30.60:1061 to 172.17.0.2:1812
> length 215
> (1) Message-Authenticator = 0x2660937420c3367bd057db626b743cc5
> (1) Service-Type = Framed-User
> (1) User-Name = "user at example.org"
> (1) Framed-MTU = 1488
> (1) State = 0xbced3a8cbcec37005a032dcfba50bf3a
> (1) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
> (1) Calling-Station-Id = "22-85-59-7C-27-7A"
> (1) NAS-Identifier = "D-Link Access Point"
> (1) NAS-Port-Type = Wireless-802.11
> (1) Connect-Info = "CONNECT 54Mbps 802.11g"
> (1) EAP-Message = 0x020100060300
> (1) NAS-IP-Address = 10.17.30.60
> (1) NAS-Port = 1
> (1) NAS-Port-Id = "STA port # 1"
> (1) Restoring &session-state
> (1) &session-state:Framed-MTU = 994
> (1) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (1) authorize {
> (1) policy filter_username {
> (1) if (&User-Name) {
> (1) if (&User-Name) -> TRUE
> (1) if (&User-Name) {
> (1) if (&User-Name =~ / /) {
> (1) if (&User-Name =~ / /) -> FALSE
> (1) if (&User-Name =~ /@[^@]*@/ ) {
> (1) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (1) if (&User-Name =~ /\.\./ ) {
> (1) if (&User-Name =~ /\.\./ ) -> FALSE
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (1) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (1) if (&User-Name =~ /\.$/) {
> (1) if (&User-Name =~ /\.$/) -> FALSE
> (1) if (&User-Name =~ /@\./) {
> (1) if (&User-Name =~ /@\./) -> FALSE
> (1) } # if (&User-Name) = notfound
> (1) } # policy filter_username = notfound
> (1) [preprocess] = ok
> (1) [chap] = noop
> (1) [mschap] = noop
> (1) [digest] = noop
> (1) suffix: Checking for suffix after "@"
> (1) suffix: Looking up realm "example.org" for User-Name = "
> user at example.org"
> (1) suffix: No such realm "example.org"
> (1) [suffix] = noop
> (1) eap: Peer sent EAP Response (code 2) ID 1 length 6
> (1) eap: No EAP Start, assuming it's an on-going EAP conversation
> (1) [eap] = updated
> (1) files: users: Matched entry user at example.org at line 2
> (1) [files] = ok
> (1) [expiration] = noop
> (1) [logintime] = noop
> Not doing PAP as Auth-Type is already set.
> (1) [pap] = noop
> (1) } # authorize = updated
> (1) Found Auth-Type = eap
> (1) # Executing group from file /etc/freeradius/sites-enabled/default
> (1) authenticate {
> (1) eap: Expiring EAP session with state 0xbced3a8cbcec3700
> (1) eap: Finished EAP session with state 0xbced3a8cbcec3700
> (1) eap: Previous EAP request found for state 0xbced3a8cbcec3700, released
> from the list
> (1) eap: Peer sent packet with method EAP NAK (3)
> (1) eap: Peer NAK'd indicating it is not willing to continue
> (1) eap: Sending EAP Failure (code 4) ID 1 length 4
> (1) eap: Failed in EAP select
> (1) [eap] = invalid
> (1) } # authenticate = invalid
> (1) Failed to authenticate the user
> (1) Using Post-Auth-Type Reject
> (1) # Executing group from file /etc/freeradius/sites-enabled/default
> (1) Post-Auth-Type REJECT {
> (1) attr_filter.access_reject: EXPAND %{User-Name}
> (1) attr_filter.access_reject: --> user at example.org
> (1) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (1) [attr_filter.access_reject] = updated
> (1) [eap] = noop
> (1) policy remove_reply_message_if_eap {
> (1) if (&reply:EAP-Message && &reply:Reply-Message) {
> (1) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (1) else {
> (1) [noop] = noop
> (1) } # else = noop
> (1) } # policy remove_reply_message_if_eap = noop
> (1) } # Post-Auth-Type REJECT = updated
> (1) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (1) Sending delayed response
> (1) Sent Access-Reject Id 1 from 172.17.0.2:1812 to 10.17.30.60:1061
> length 44
> (1) EAP-Message = 0x04010004
> (1) Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 3.9 seconds.
> (2) Received Access-Request Id 0 from 10.17.30.60:1063 to 172.17.0.2:1812
> length 212
> (2) Message-Authenticator = 0x10dad86d8ca96900ee9e41a3f3215e04
> (2) Service-Type = Framed-User
> (2) User-Name = "user at example.org"
> (2) Framed-MTU = 1488
> (2) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
> (2) Calling-Station-Id = "22-85-59-7C-27-7A"
> (2) NAS-Identifier = "D-Link Access Point"
> (2) NAS-Port-Type = Wireless-802.11
> (2) Connect-Info = "CONNECT 54Mbps 802.11g"
> (2) EAP-Message = 0x020000150175736572406578616d706c652e6f7267
> (2) NAS-IP-Address = 10.17.30.60
> (2) NAS-Port = 1
> (2) NAS-Port-Id = "STA port # 1"
> (2) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (2) authorize {
> (2) policy filter_username {
> (2) if (&User-Name) {
> (2) if (&User-Name) -> TRUE
> (2) if (&User-Name) {
> (2) if (&User-Name =~ / /) {
> (2) if (&User-Name =~ / /) -> FALSE
> (2) if (&User-Name =~ /@[^@]*@/ ) {
> (2) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (2) if (&User-Name =~ /\.\./ ) {
> (2) if (&User-Name =~ /\.\./ ) -> FALSE
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (2) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (2) if (&User-Name =~ /\.$/) {
> (2) if (&User-Name =~ /\.$/) -> FALSE
> (2) if (&User-Name =~ /@\./) {
> (2) if (&User-Name =~ /@\./) -> FALSE
> (2) } # if (&User-Name) = notfound
> (2) } # policy filter_username = notfound
> (2) [preprocess] = ok
> (2) [chap] = noop
> (2) [mschap] = noop
> (2) [digest] = noop
> (2) suffix: Checking for suffix after "@"
> (2) suffix: Looking up realm "example.org" for User-Name = "
> user at example.org"
> (2) suffix: No such realm "example.org"
> (2) [suffix] = noop
> (2) eap: Peer sent EAP Response (code 2) ID 0 length 21
> (2) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (2) [eap] = ok
> (2) } # authorize = ok
> (2) Found Auth-Type = eap
> (2) # Executing group from file /etc/freeradius/sites-enabled/default
> (2) authenticate {
> (2) eap: Peer sent packet with method EAP Identity (1)
> (2) eap: Calling submodule eap_tls to process data
> (2) eap_tls: (TLS) Initiating new session
> (2) eap_tls: (TLS) Setting verify mode to require certificate from client
> (2) eap: Sending EAP Request (code 1) ID 1 length 6
> (2) eap: EAP session adding &reply:State = 0x61a7200961a62df0
> (2) [eap] = handled
> (2) } # authenticate = handled
> (2) Using Post-Auth-Type Challenge
> (2) # Executing group from file /etc/freeradius/sites-enabled/default
> (2) Challenge { ... } # empty sub-section is ignored
> (2) session-state: Saving cached attributes
> (2) Framed-MTU = 994
> (2) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1063
> length 64
> (2) EAP-Message = 0x010100060d20
> (2) Message-Authenticator = 0x00000000000000000000000000000000
> (2) State = 0x61a7200961a62df0743c98b3a07aed8f
> (2) Finished request
> Waking up in 1.9 seconds.
> (3) Received Access-Request Id 1 from 10.17.30.60:1063 to 172.17.0.2:1812
> length 215
> (3) Message-Authenticator = 0x2946bae5a640bdd89ef938aa738b4b94
> (3) Service-Type = Framed-User
> (3) User-Name = "user at example.org"
> (3) Framed-MTU = 1488
> (3) State = 0x61a7200961a62df0743c98b3a07aed8f
> (3) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
> (3) Calling-Station-Id = "22-85-59-7C-27-7A"
> (3) NAS-Identifier = "D-Link Access Point"
> (3) NAS-Port-Type = Wireless-802.11
> (3) Connect-Info = "CONNECT 54Mbps 802.11g"
> (3) EAP-Message = 0x020100060300
> (3) NAS-IP-Address = 10.17.30.60
> (3) NAS-Port = 1
> (3) NAS-Port-Id = "STA port # 1"
> (3) Restoring &session-state
> (3) &session-state:Framed-MTU = 994
> (3) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (3) authorize {
> (3) policy filter_username {
> (3) if (&User-Name) {
> (3) if (&User-Name) -> TRUE
> (3) if (&User-Name) {
> (3) if (&User-Name =~ / /) {
> (3) if (&User-Name =~ / /) -> FALSE
> (3) if (&User-Name =~ /@[^@]*@/ ) {
> (3) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (3) if (&User-Name =~ /\.\./ ) {
> (3) if (&User-Name =~ /\.\./ ) -> FALSE
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (3) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (3) if (&User-Name =~ /\.$/) {
> (3) if (&User-Name =~ /\.$/) -> FALSE
> (3) if (&User-Name =~ /@\./) {
> (3) if (&User-Name =~ /@\./) -> FALSE
> (3) } # if (&User-Name) = notfound
> (3) } # policy filter_username = notfound
> (3) [preprocess] = ok
> (3) [chap] = noop
> (3) [mschap] = noop
> (3) [digest] = noop
> (3) suffix: Checking for suffix after "@"
> (3) suffix: Looking up realm "example.org" for User-Name = "
> user at example.org"
> (3) suffix: No such realm "example.org"
> (3) [suffix] = noop
> (3) eap: Peer sent EAP Response (code 2) ID 1 length 6
> (3) eap: No EAP Start, assuming it's an on-going EAP conversation
> (3) [eap] = updated
> (3) files: users: Matched entry user at example.org at line 2
> (3) [files] = ok
> (3) [expiration] = noop
> (3) [logintime] = noop
> Not doing PAP as Auth-Type is already set.
> (3) [pap] = noop
> (3) } # authorize = updated
> (3) Found Auth-Type = eap
> (3) # Executing group from file /etc/freeradius/sites-enabled/default
> (3) authenticate {
> (3) eap: Expiring EAP session with state 0x61a7200961a62df0
> (3) eap: Finished EAP session with state 0x61a7200961a62df0
> (3) eap: Previous EAP request found for state 0x61a7200961a62df0, released
> from the list
> (3) eap: Peer sent packet with method EAP NAK (3)
> (3) eap: Peer NAK'd indicating it is not willing to continue
> (3) eap: Sending EAP Failure (code 4) ID 1 length 4
> (3) eap: Failed in EAP select
> (3) [eap] = invalid
> (3) } # authenticate = invalid
> (3) Failed to authenticate the user
> (3) Using Post-Auth-Type Reject
> (3) # Executing group from file /etc/freeradius/sites-enabled/default
> (3) Post-Auth-Type REJECT {
> (3) attr_filter.access_reject: EXPAND %{User-Name}
> (3) attr_filter.access_reject: --> user at example.org
> (3) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (3) [attr_filter.access_reject] = updated
> (3) [eap] = noop
> (3) policy remove_reply_message_if_eap {
> (3) if (&reply:EAP-Message && &reply:Reply-Message) {
> (3) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (3) else {
> (3) [noop] = noop
> (3) } # else = noop
> (3) } # policy remove_reply_message_if_eap = noop
> (3) } # Post-Auth-Type REJECT = updated
> (3) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (3) Sending delayed response
> (3) Sent Access-Reject Id 1 from 172.17.0.2:1812 to 10.17.30.60:1063
> length 44
> (3) EAP-Message = 0x04010004
> (3) Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 0.8 seconds.
> (0) Cleaning up request packet ID 0 with timestamp +74 due to
> cleanup_delay was reached
> (1) Cleaning up request packet ID 1 with timestamp +74 due to
> cleanup_delay was reached
> Waking up in 3.0 seconds.
> (4) Received Access-Request Id 0 from 10.17.30.60:1065 to 172.17.0.2:1812
> length 212
> (4) Message-Authenticator = 0x7e90cef35650d96b0188a6bcc9040100
> (4) Service-Type = Framed-User
> (4) User-Name = "user at example.org"
> (4) Framed-MTU = 1488
> (4) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
> (4) Calling-Station-Id = "22-85-59-7C-27-7A"
> (4) NAS-Identifier = "D-Link Access Point"
> (4) NAS-Port-Type = Wireless-802.11
> (4) Connect-Info = "CONNECT 54Mbps 802.11g"
> (4) EAP-Message = 0x020000150175736572406578616d706c652e6f7267
> (4) NAS-IP-Address = 10.17.30.60
> (4) NAS-Port = 1
> (4) NAS-Port-Id = "STA port # 1"
> (4) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (4) authorize {
> (4) policy filter_username {
> (4) if (&User-Name) {
> (4) if (&User-Name) -> TRUE
> (4) if (&User-Name) {
> (4) if (&User-Name =~ / /) {
> (4) if (&User-Name =~ / /) -> FALSE
> (4) if (&User-Name =~ /@[^@]*@/ ) {
> (4) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (4) if (&User-Name =~ /\.\./ ) {
> (4) if (&User-Name =~ /\.\./ ) -> FALSE
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (4) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (4) if (&User-Name =~ /\.$/) {
> (4) if (&User-Name =~ /\.$/) -> FALSE
> (4) if (&User-Name =~ /@\./) {
> (4) if (&User-Name =~ /@\./) -> FALSE
> (4) } # if (&User-Name) = notfound
> (4) } # policy filter_username = notfound
> (4) [preprocess] = ok
> (4) [chap] = noop
> (4) [mschap] = noop
> (4) [digest] = noop
> (4) suffix: Checking for suffix after "@"
> (4) suffix: Looking up realm "example.org" for User-Name = "
> user at example.org"
> (4) suffix: No such realm "example.org"
> (4) [suffix] = noop
> (4) eap: Peer sent EAP Response (code 2) ID 0 length 21
> (4) eap: EAP-Identity reply, returning 'ok' so we can short-circuit the
> rest of authorize
> (4) [eap] = ok
> (4) } # authorize = ok
> (4) Found Auth-Type = eap
> (4) # Executing group from file /etc/freeradius/sites-enabled/default
> (4) authenticate {
> (4) eap: Peer sent packet with method EAP Identity (1)
> (4) eap: Calling submodule eap_tls to process data
> (4) eap_tls: (TLS) Initiating new session
> (4) eap_tls: (TLS) Setting verify mode to require certificate from client
> (4) eap: Sending EAP Request (code 1) ID 1 length 6
> (4) eap: EAP session adding &reply:State = 0x10b8d47310b9d97a
> (4) [eap] = handled
> (4) } # authenticate = handled
> (4) Using Post-Auth-Type Challenge
> (4) # Executing group from file /etc/freeradius/sites-enabled/default
> (4) Challenge { ... } # empty sub-section is ignored
> (4) session-state: Saving cached attributes
> (4) Framed-MTU = 994
> (4) Sent Access-Challenge Id 0 from 172.17.0.2:1812 to 10.17.30.60:1065
> length 64
> (4) EAP-Message = 0x010100060d20
> (4) Message-Authenticator = 0x00000000000000000000000000000000
> (4) State = 0x10b8d47310b9d97a65ed29a95486330e
> (4) Finished request
> Waking up in 1.8 seconds.
> (5) Received Access-Request Id 1 from 10.17.30.60:1065 to 172.17.0.2:1812
> length 215
> (5) Message-Authenticator = 0x4024c8a365e14657a651ceb71b9f5f61
> (5) Service-Type = Framed-User
> (5) User-Name = "user at example.org"
> (5) Framed-MTU = 1488
> (5) State = 0x10b8d47310b9d97a65ed29a95486330e
> (5) Called-Station-Id = "00-26-5A-84-0D-89:dlink"
> (5) Calling-Station-Id = "22-85-59-7C-27-7A"
> (5) NAS-Identifier = "D-Link Access Point"
> (5) NAS-Port-Type = Wireless-802.11
> (5) Connect-Info = "CONNECT 54Mbps 802.11g"
> (5) EAP-Message = 0x020100060300
> (5) NAS-IP-Address = 10.17.30.60
> (5) NAS-Port = 1
> (5) NAS-Port-Id = "STA port # 1"
> (5) Restoring &session-state
> (5) &session-state:Framed-MTU = 994
> (5) # Executing section authorize from file
> /etc/freeradius/sites-enabled/default
> (5) authorize {
> (5) policy filter_username {
> (5) if (&User-Name) {
> (5) if (&User-Name) -> TRUE
> (5) if (&User-Name) {
> (5) if (&User-Name =~ / /) {
> (5) if (&User-Name =~ / /) -> FALSE
> (5) if (&User-Name =~ /@[^@]*@/ ) {
> (5) if (&User-Name =~ /@[^@]*@/ ) -> FALSE
> (5) if (&User-Name =~ /\.\./ ) {
> (5) if (&User-Name =~ /\.\./ ) -> FALSE
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/)) {
> (5) if ((&User-Name =~ /@/) && (&User-Name !~ /@(.+)\.(.+)$/))
> -> FALSE
> (5) if (&User-Name =~ /\.$/) {
> (5) if (&User-Name =~ /\.$/) -> FALSE
> (5) if (&User-Name =~ /@\./) {
> (5) if (&User-Name =~ /@\./) -> FALSE
> (5) } # if (&User-Name) = notfound
> (5) } # policy filter_username = notfound
> (5) [preprocess] = ok
> (5) [chap] = noop
> (5) [mschap] = noop
> (5) [digest] = noop
> (5) suffix: Checking for suffix after "@"
> (5) suffix: Looking up realm "example.org" for User-Name = "
> user at example.org"
> (5) suffix: No such realm "example.org"
> (5) [suffix] = noop
> (5) eap: Peer sent EAP Response (code 2) ID 1 length 6
> (5) eap: No EAP Start, assuming it's an on-going EAP conversation
> (5) [eap] = updated
> (5) files: users: Matched entry user at example.org at line 2
> (5) [files] = ok
> (5) [expiration] = noop
> (5) [logintime] = noop
> Not doing PAP as Auth-Type is already set.
> (5) [pap] = noop
> (5) } # authorize = updated
> (5) Found Auth-Type = eap
> (5) # Executing group from file /etc/freeradius/sites-enabled/default
> (5) authenticate {
> (5) eap: Expiring EAP session with state 0x10b8d47310b9d97a
> (5) eap: Finished EAP session with state 0x10b8d47310b9d97a
> (5) eap: Previous EAP request found for state 0x10b8d47310b9d97a, released
> from the list
> (5) eap: Peer sent packet with method EAP NAK (3)
> (5) eap: Peer NAK'd indicating it is not willing to continue
> (5) eap: Sending EAP Failure (code 4) ID 1 length 4
> (5) eap: Failed in EAP select
> (5) [eap] = invalid
> (5) } # authenticate = invalid
> (5) Failed to authenticate the user
> (5) Using Post-Auth-Type Reject
> (5) # Executing group from file /etc/freeradius/sites-enabled/default
> (5) Post-Auth-Type REJECT {
> (5) attr_filter.access_reject: EXPAND %{User-Name}
> (5) attr_filter.access_reject: --> user at example.org
> (5) attr_filter.access_reject: Matched entry DEFAULT at line 11
> (5) [attr_filter.access_reject] = updated
> (5) [eap] = noop
> (5) policy remove_reply_message_if_eap {
> (5) if (&reply:EAP-Message && &reply:Reply-Message) {
> (5) if (&reply:EAP-Message && &reply:Reply-Message) -> FALSE
> (5) else {
> (5) [noop] = noop
> (5) } # else = noop
> (5) } # policy remove_reply_message_if_eap = noop
> (5) } # Post-Auth-Type REJECT = updated
> (5) Delaying response for 1.000000 seconds
> Waking up in 0.3 seconds.
> Waking up in 0.6 seconds.
> (5) Sending delayed response
> (5) Sent Access-Reject Id 1 from 172.17.0.2:1812 to 10.17.30.60:1065
> length 44
> (5) EAP-Message = 0x04010004
> (5) Message-Authenticator = 0x00000000000000000000000000000000
> Waking up in 0.8 seconds.
> (2) Cleaning up request packet ID 0 with timestamp +77 due to
> cleanup_delay was reached
> (3) Cleaning up request packet ID 1 with timestamp +77 due to
> cleanup_delay was reached
> Waking up in 3.1 seconds.
> (4) Cleaning up request packet ID 0 with timestamp +80 due to
> cleanup_delay was reached
> (5) Cleaning up request packet ID 1 with timestamp +80 due to
> cleanup_delay was reached
> Ready to process requests
>
> Thanks,
>
> Clément
>
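Alan's suggestion in message 2 (copy the TLS certificate attributes into session-state so they survive to the final packet) as a worked v3 unlang fragment. This is an added example, not from the thread or the FreeRADIUS distribution; it assumes the v3 default site's post-auth layout with the Post-Auth-Type Challenge sub-section that the debug log above shows, and uses the clientAuth OID 1.3.6.1.5.5.7.3.2 seen in Daniel's log as the value to require.

```unlang
post-auth {
	#
	# Runs each time the server sends an Access-Challenge, i.e. on every
	# intermediate EAP-TLS round trip.  The TLS-Client-Cert-* attributes
	# exist in the request list only in the round trip that carried the
	# client certificate, so copy the EKU OIDs into session-state there.
	# session-state is saved and restored by the server automatically.
	#
	Post-Auth-Type Challenge {
		if (&request:TLS-Client-Cert-X509v3-Extended-Key-Usage-OID) {
			update session-state {
				# "[*]" copies every instance, since a cert may list several EKUs
				&TLS-Client-Cert-X509v3-Extended-Key-Usage-OID += &request:TLS-Client-Cert-X509v3-Extended-Key-Usage-OID[*]
			}
		}
	}

	#
	# Top-level post-auth runs for the final Access-Accept.  By then the
	# certificate attributes are no longer in the request list, so check
	# the copy in session-state and reject certificates that do not carry
	# the clientAuth EKU (1.3.6.1.5.5.7.3.2).  "[*] ==" is true if any
	# instance matches; the negation therefore means "no instance matches".
	#
	if (!(&session-state:TLS-Client-Cert-X509v3-Extended-Key-Usage-OID[*] == "1.3.6.1.5.5.7.3.2")) {
		update reply {
			&Reply-Message := "Client certificate lacks the clientAuth extended key usage"
		}
		reject
	}
}
```

Run the server with `radiusd -X` and confirm the copied attribute appears under "Restoring &session-state" in later packets before relying on the check.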